Risk and Reward in the Cloud

More hospitals are looking to the cloud as a viable way to store clinical, imaging, and financial data. Experts acknowledge its advantages, but caution it’s a step that requires careful planning and vetting of potential cloud vendors.

As healthcare IT leaders move forward with digitizing their electronic records, cloud computing is increasingly being considered a viable option for many provider organizations. The biggest upsurge of interest in the cloud has coincided with the digitization of clinical records.

As noted by Richard Temple, executive consultant at Beacon Partners Inc., Weymouth, Mass., computerization in provider organizations has shifted, from an initial focus around financial systems, to attention to clinical systems. With that shift, hospitals are faced with more stringent requirements for uptime, redundancy, and performance. Put simply, clinical data must be available any time, anywhere, Temple says—a higher standard than exists with financial data. “Hospitals aren’t necessarily geared up to be able to support a computing infrastructure of that magnitude,” he says.

Enter cloud computing, a growing service that many hospitals are embracing, and which experts interviewed for this story say offers new opportunities for sharing and leveraging data for new healthcare models such as health information exchanges, accountable care organizations, and secondary uses in research.

But there is a catch: moving data to the cloud by definition involves relinquishing direct control over data, and with it comes substantial risk in terms of performance, privacy, and security. Yet liability for anything that goes wrong on any of those fronts falls squarely on the provider organization, and of course, more specifically on the CIO and his or her team.

PUTTING IN PROTECTIONS

Temple and others interviewed for this article stress the need to thoroughly vet a cloud vendor, and to have iron-clad service-level agreements in place that specify performance expectations and guarantees, before signing any contract. At a minimum, one must make sure that the cloud vendor has SSAE-16 (formerly SAS-70) certification that requires that the cloud host will adhere to best practices at a very high level, he says.

Richard Temple

He also advises having a good business associate agreement in place that ensures that data is secured, backed up and encrypted. He recommends that the hospital should have the right to conduct audits and require the cloud host to send the hospital an attestation of continued compliance on an annual basis. He adds that the hospital should have the right to approve subcontracting, and to ensure that it will be compliant with the Health Information Portability and Accountability Act (HIPAA).

Temple recommends confirming that there is a disaster recovery plan in place. It’s important to know how the data is stored off site, and how quickly it can be recovered in the event of a disaster, he says. When it comes to disaster recovery, hospitals should strive to be recognized as a partner. This means obtaining a guarantee that the cloud vendor’s IS group will work with the hospital to recover the data, and participating with the cloud vendor in any disaster recovery drill.

Diana McKenzie is partner and chair of the Information Technology and Outsourcing Group at Hunter, Maclean, Exley & Dunn, P.C., Savannah, Ga. “The cloud is great, but the trick is that the customer doesn’t have control of their data, and yet it is still legally responsible for it,” she says. Her advice, especially for providers that are new to the cloud, is to not forget the basics. Often, “when we get into these newer contracts, clients are excited about the newness of it and forget about the basic things they always need to protect. All the things you always needed in every other IT contract, you need here too,” she says.

She advises getting a lawyer or consultant (preferably one who has lots of experience in healthcare) involved in putting together an RFP, and to include legal questions about risk mitigation and liability for the vendor to respond to. “You want the information for competitive reasons, but it will also give you a good sense of how comfortable they are in protecting your data, and what they are willing to commit to in writing,” she says.

McKenzie says there is no substitute for due diligence when evaluating vendors. “You have to put out requests for proposals to see what vendors can and cannot do, and compare them,” she says. She recommends using social media to get feedback from a vendor’s existing customers, a tactic used by one of her clients. “Tweet, use social media; user groups and conferences are also helpful, as well as basic online searches,” she says.

In the regulatory arena, she advises healthcare providers to make sure that cloud vendors are able to comply with state privacy laws, which vary greatly from state to state. Hospitals have to comply with the state laws, where the patient lives, she notes. “Hospitals located in resort areas or offering a specialty may treat many patients from out of state, and must comply with many different laws. You have to make sure your cloud vendor is capable of doing that,” she says.

TESTING THE WATERS

Despite the litany of precautions, the cloud is making inroads with healthcare organizations.